At 2:30 a.m., Wolfgang Reichmann’s phone rings. Rheinmetall’s Chief Information Security Officer knows immediately that this is not good news. An hour later, the situation is clear: the company is under attack by ransomware, which is encrypting vital data. At 3:45 a.m., Reichmann makes a drastic decision after consulting closely with the security team and IT management: “Shut down the systems and take them offline.” It was only through the level-headed, swift, and decisive action of everyone involved that the Group was able to avert greater damage. When Wolfgang Reichmann talks about his responsibilities, it becomes clear that cyberwarfare has been a reality for many years. Since 2020, he has been the Chief Information Security Officer (CISO) at Rheinmetall IT, responsible for the security of the Group’s data, networks, and applications. These days, companies and public authorities are increasingly exposed to malware attacks. Cybercriminals aim at stealing sensitive data, manipulating systems, or – a practice that has become particularly widespread – extorting millions in ransom. Previously, an external service provider managed Rheinmetall’s IT operations. Considering the current threat level, taking back responsibility in-house has proven to be the right decision.

Wide-ranging scope of activity

In recent years, Rheinmetall has invested heavily in security technology and skilled personnel. Today, the security team comprises nearly 80 people working worldwide. Most of these employees work in the Security Operations Centre based in Germany. The setting is reminiscent of the command centre from a James Bond movie: the room is dimly lit, with a world map displaying all Rheinmetall sites projected onto a large video wall. In front of it, IT specialists sit in front of their monitors, observing every detail on the network so they can initiate defensive measures immediately.

The number and scale of cyberattacks have risen dramatically, particularly since the start of the war in Ukraine. These attacks are no longer just the work of hacker groups, but also of state actors who have ample funding and other resources.

The nature of the attacks is changing

The modus operandi has also changed in recent years. “We are observing a clear shift towards so-called third-party attacks,” explains Wolfgang Reichmann. In such attacks, it is not the company itself that is targeted, but rather individual employees or service providers. “They often don’t even realise that they’re acting as a gateway,” says the CISO. Attackers use fake social media accounts, manipulated websites, or fake PDF documents containing malware. This code is specifically tailored to the company in question.

“Traditional threats, such as viruses and phishing, are becoming less significant,” says Reichmann. “Today’s cyberattacks are more sophisticated and increasingly target the human factor. This is why it is crucial to respond quickly, consistently, and appropriately in an emergency, as well as taking the right preventive measures. This can be achieved by using modern technologies and targeted training and awareness initiatives for all employees.” The Group’s IT security therefore also lies in the hands of the workforce, emphasises the CISO. “Those who act attentively and cautiously can significantly minimise the risk of external attacks.”

Always one step ahead

Cyber defence also means staying one step ahead at all times. For the security team, this involves analysing a vast amount of data. “Here, we collect what are known as ‘events’ – around 50 to 60 million a day,” explains Reichmann. But what does that mean? “Employee XY successfully logged into her computer at 07:26 with the correct password – that’s an event.” Some of these processes reveal anomalies. Most can be dealt with as part of routine procedures. But every now and then, the alarm bells ring louder. “That’s when our specialists step in, dissecting bits and bytes to investigate the anomaly,” reports Reichmann. “They could just as well be working as hackers.” The Cyber Defence Team often knows who is on the other side. Reichmann explains, “There are a number of targeted groups that focus on attacking companies in the defence sector.”

“We have an exceptionally good team,” emphasises the CSIO. “We have young talents who have just finished their training, older staff with plenty of experience, people from other sectors, and the typical ‘nerds’. We also have a high proportion of women. In my experience, the more diverse the team, the better.” Everyone has the same right to express their opinions, thoughts, or even criticism. “There’s no hierarchical mindset,” says Reichmann. “If my door is open, anyone can pop in. Any time. Whether they’re a department head or an intern.”

“Nothing is easier to attack than AI”

Could artificial intelligence help to protect companies such as Rheinmetall from cyberattacks? Security experts are divided on this issue. “Many people think AI is the solution to a wide range of problems. This is partly true, as AI-based functionalities will help us analyse potential security incidents in the future.” At the same time, however, Reichmann warns: “The risk of attacks on AI systems cannot yet be fully assessed. From a cybersecurity perspective, this is currently a moving target – almost nothing is easier to attack than AI.”

The challenges for Wolfgang Reichmann and the entire security team will not decrease in the coming years. On the contrary, their workload is growing, particularly when it comes to protecting the company online. “Yes, there are many threats coming from all sorts of directions,” ­Reichmann notes. “But we have them under control.”